Tuesday, November 24, 2009

Forensic contest: Puzzle #1

I found an interesting website that posts puzzles for interested individuals like myself to try to solve, with the possibility of winning prizes too. The URL is http://forensicscontest.com/. In this blog post I'm going to show you how I solved puzzle #1, http://forensicscontest.com/2009/09/25/puzzle-1-solution-anns-bad-aim.

1. Download the required pcap file, evidence.pcap, from the website.
2. The first thing I did was open the pcap file in Wireshark and apply a display filter to look only at the traffic Ann's computer, 192.168.1.158, was involved in (ip.addr eq 192.168.1.158).
3. From the first few packets I determined that the name of Ann's IM buddy was "Sec558user1".
4. I right-clicked on the first packet and selected "Follow TCP Stream".
5. Looking further into the stream, I determined that the first comment in the conversation was "Here's the secret recipe. I just downloaded it from the file server. Just copy to a thumb drive and you're good to go".
6. To find out the name of the file that was transferred, I used two methods.
  • Method 1 command: "# strings evidence.pcap | more". This method can take a while and is not the best, but eventually I saw the filename "recipe.docx".
  • Method 2. First I used tcpflow to separate the streams, then ran them through xxd.
    command: "# tcpflow -r evidence.pcap". I noticed a communication line between Ann's computer and another local but unknown IP, 192.168.1.159. I then ran "# xxd 192.168.001.158.05190-192.168.001.159-01272 | more". Voila, recipe.docx is being sent to some unknown user using the OFT protocol.
7. A simple Google search got me the necessary bytes being asked for, the magic bytes of a .docx file, "50 4B 03 04".
8. Convert the stream file to a plain (PostScript-style) hexdump for editing: "# xxd -ps 192.168.001.158.05190-192.168.001.159-01272 > hex.txt".
9. Open the file in a text editor like Kate and search for the magic bytes "504b0304". When you find these bytes, remove everything before them, then save the file (as hex1.txt, which the next step uses).
10. Run "# xxd -r -ps hex1.txt > recipe.docx". This converts the hex file back into a raw binary file. Bingo, we have our original file.
  • An alternate way to do this in one step: "# xxd -s +256 192.168.001.158.05190-192.168.001.159-01272 | xxd -s -256 -r > recipe.docx"
11. Get the MD5 sum of the file: "# md5sum recipe.docx" gives 8350582774e1d4dbe1d61d64c89e0ea1 recipe.docx
12. Opening the file in MS Word, you get:
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
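As an added example (not part of the original post), here is the carving from steps 8 to 10 done programmatically rather than by hand-editing a hexdump: locate the ZIP signature in the tcpflow stream file, drop everything in front of it, check that the result opens as an archive, and hash it. The sample stream and the 256-byte header in front of it are constructed for the demo; the stream file path is assumed to be passed by the caller.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # 50 4B 03 04: ZIP local file header, the start of a .docx


def carve_zip(stream: bytes) -> bytes:
    """Return the bytes from the first ZIP local-file header onward.

    Same effect as the hex-edit step in the write-up: everything before
    the magic bytes (the file-transfer header) is dropped.
    """
    offset = stream.find(ZIP_MAGIC)
    if offset == -1:
        raise ValueError("no ZIP signature found in stream")
    return stream[offset:]


def verify_zip(data: bytes) -> list[str]:
    """Confirm the carved bytes form a readable ZIP and list its members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:
            raise ValueError("carved archive is corrupt")
        return zf.namelist()


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, matching what md5sum prints."""
    return hashlib.md5(data).hexdigest()


def carve_from_file(path: str) -> tuple[str, list[str]]:
    """Carve a tcpflow output file and return (md5, member names)."""
    with open(path, "rb") as fh:
        carved = carve_zip(fh.read())
    return md5_hex(carved), verify_zip(carved)


def build_sample_stream() -> bytes:
    """Constructed sample: a tiny docx-like ZIP behind a 256-byte fake header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Recipe for Disaster</w:document>")
    header = b"OFT2" + b"\x00" * 252  # constructed placeholder, not a real OFT header
    return header + buf.getvalue()


if __name__ == "__main__":
    carved = carve_zip(build_sample_stream())
    print(md5_hex(carved), verify_zip(carved))
```

Searching for the signature instead of skipping a fixed 256 bytes means the same function works when the header in front of the archive has a different length.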

CASE SOLVED
